1. Field of the Invention
This invention relates to the field of secure boot loading of a computer system from a hard disk drive. In particular, the invention relates to a source for fast restoration of a complete operating image in computer system memory which is secure from attack by a virus or inadvertent corruption during operation of the computer.
2. Description of the Prior Art and Related Information
Most computer systems today take the form of a so-called xe2x80x9cpersonal computerxe2x80x9d or PC which has evolved into a ubiquitous tool applied in many forms. Examples include desktop systems, servers, and xe2x80x9cembeddedxe2x80x9d systems which incorporate a PC as the engine for performing dedicated functions. Common to most of these systems is a host microprocessor and a disk drive. The host microprocessor executes program code, including operating system code and application program code, and reads or writes data in conjunction with code execution. The code and associated data is stored for execution in a volatile random access memory array. The disk drive provides non-volatile secondary storage for the code and data. The extent of disk drive storage is orders of magnitude greater than the memory array, allowing numerous application programs, and potentially a plurality of operating systems, to reside on the disk drive for recall according to dynamic configurations of the machine.
The memory array is initially loaded during a bootstrap (boot) loading process which begins with the host microprocessor executing a relatively small BIOS program stored in a ROM. The BIOS program reads a default area of the disk which stores a boot program, known as a boot record, and stores the program in the memory array. The host microprocessor then executes the boot program to load an operating system core which may then complete the process of establishing an operating image in memory.
Unfortunately, the PC is susceptible to problems during this process. Computer viruses are rampant, many of which plant themselves in the boot record or in the operating system code on the disk so that they may be activated during operation of the machine. Other forms of computer viruses simply corrupt or destroy code on the disk which prevents the machine from booting up at all. Aside from virus attacks, it is possible that inadvertent corruption of disk data can prevent a proper boot of the computer system. This can be caused by user mistakes or by rogue applications which fail to abide by conventions or operating system safeguards.
Many tactics have been employed to defend the data on the disk drive from virus attack. One method was to provide BIOS code which monitored disk drive write commands to look for attempted boot record modification. This and similar BIOS-based methods depend on virus software employing BIOS calls to access the disk and therefore may be ineffective when a virus bypasses BIOS. Another known method employs bus snooping hardware which monitors the I/O bus to trap disk write operations to protected areas. All these methods are prone to defeat because the host processor is required to access the data and may be controlled by a virus.
In another aspect, it is known in the art to provide an abridged version of BIOS in ROM and use the ROM BIOS to load the full BIOS from the disk drive or some other alterable memory. Since the BIOS itself is susceptible to attack or corruption in these implementations, there have been efforts to provide protection. One such a system is disclosed in U.S. Pat. No. 5,022,077 to Bealkowski et al. Bealkowski discloses having the host processor send a command to the disk drive after a BIOS is loaded to establish a maximum block address. The BIOS code is stored on the disk at addresses which are higher than the maximum block address and are therefore inaccessible until the maximum block address is reset. This method also presents the requirement that the host processor controls the protection scheme and the protection method can be easily defeated.
A more complex BIOS protection scheme is disclosed in U.S. Pat. No. 5,844,986 to Davis. The Davis patent discloses a cryptographic coprocessor which acts as a gatekeeper to BIOS stored in a flash memory. The cryptographic coprocessor responds to BIOS addresses presented by the host microprocessor during BIOS reads and requires decoding an encrypted code to process updates to the BIOS. The Davis patent provides a solution to BIOS security but adds cost from flash memory and an additional processor, and does not address potential contamination of operating system code. Further, Davis admits that an intruder can corrupt the code if the secret key is obtained.
Yet another problem experienced by PC users is the time required to perform the boot load process. The operating system code on the disk drive is a complex arrangement of linked blocks which are loaded in many stages with considerable processing required. In addition, most complex operating systems require a previous orderly shut-down to achieve an efficient start-up. Unfortunately, the orderly shut-down is sometimes as lengthy as the boot process. One known solution to the boot load delay, sometimes known as xe2x80x9cresume from diskxe2x80x9d or xe2x80x9chibernation,xe2x80x9d has been to store the system memory image in special partition on the disk drive. A subsequent start-up operation retrieves the image and resumes at the prior state of the machine. This solution is advantageous when starting the machine, but still presents a significant shut-down delay. Further, the image on disk is susceptible to virus attack or corruption as noted above.
There is a continuing need, therefore, for a computer system boot process which is fast and secure from virus attack or inadvertent corruption.
This invention can be regarded as a computer system comprising a host computer, a disk drive, and means defining a host interface between the host computer and the disk drive. The host computer comprises a host microprocessor having an inactive state and an active state. The host microprocessor has an input for receiving a state-control signal and while the state-control signal is asserted remains in the inactive state, and while the state-control signal is de-asserted remains in the active state. While in the active state, the host microprocessor executes host-executable code including operating system and application program code. The host computer further comprises a memory array for storing the host-executable code and data, means coupled between the memory array and the host interface for reading from and writing to the memory array; and means responsive to a signal on the host interface for asserting and de-asserting the state-control signal.
The disk drive comprises a disk having disk addresses for storing and retrieving data including data defining a host computer memory image source, means for storing and retrieving drive-executable code including code defining a boot control program, and a drive microprocessor for executing the drive-executable code including the boot control program.
The host computer memory image source is stored at disk addresses which are accessible by the drive microprocessor when executing the boot control program and which are protected from access by the host computer. The host computer memory image source further comprises an address pointer to establish an address in the memory array for storing at least a portion of the memory image source.
The computer system further comprises means for transferring the host computer memory image source to the memory array via the host interface while the drive microprocessor is executing the boot control program means controlled by the drive microprocessor for causing the state-control signal to be asserted.
The invention may be used with a host interface which is either a memory referenced interface or an I/O interface.
In another aspect, the invention may be viewed as a method for providing a secure boot load image in a computer system comprising a disk drive and a host computer. The method comprises the steps of providing a host memory image source; providing a protected area of the disk sufficient to store the host memory image source; providing an encrypted code; providing code executable in the disk drive to prevent access to the protected area by the host computer unless the protected area command and the encrypted code is sent to the disk drive by the host computer; transmitting the protected area command and the encrypted code to the disk drive; transmitting the host memory image source to the disk drive; and storing the host memory image source in the protected area.
Preferably the encrypted code is derived from the disk drive serial number. The image source may be stored as a contiguous image or as a compressed image.
In another aspect, the step of providing a host memory image source may include the steps of connecting to a remote distribution site; transmitting an identification code which uniquely identifies the computer system to the remote distribution site; downloading the host memory image source from the remote distribution site; and validating the host memory image source.
In still another aspect, the invention can be summarized as a method for securely booting the aforementioned computer system. The method comprises the steps of asserting the state control signal; executing the boot control program with the drive microprocessor to retrieve a host memory image source from the disk drive; and while the boot control program is executed and the state-control signal is asserted, transferring the host memory image to the memory array.
The foregoing and other features of the invention are described in detail below and set forth in the appended claims.